Ubuntu Security Notice USN-200-1 - Multiple vulnerabilities exist in the mozilla-thunderbird package. A buffer overflow was discovered in the XBM image handler. By tricking an user into opening a specially crafted XBM image, an attacker could exploit this to execute arbitrary code with the user's privileges. Mats Palmgren discovered a buffer overflow in the Unicode string parser. Unicode strings that contained zero-width non-joiner characters caused a browser crash, which could possibly even exploited to execute arbitrary code with the user's privileges. Georgi Guninski reported an integer overflow in the JavaScript engine. This could be exploited to run arbitrary code under some conditions. Peter Zelezny discovered that URLs which are passed to Thunderbird on the command line are not correctly protected against interpretation by the shell. If Thunderbird is configured as the default handler for mailto: URLs, this could be exploited to execute arbitrary code with user privileges by tricking the user into clicking on a specially crafted URL (for example, in an email or chat client).

Mandriva Linux Security Update Advisory - A number of vulnerabilities have been discovered in Mozilla Firefox that have been corrected in version 1.0.7

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Update Advisory
_______________________________________________________________________
Package name: mozilla-firefox
Advisory ID: MDKSA-2005:169
Date: September 26th, 2005
Affected versions: 10.2
______________________________________________________________________
Problem Description:
A number of vulnerabilities have been discovered in Mozilla Firefox
that have been corrected in version 1.0.7:
A bug in the way Firefox processes XBM images could be used to execute
arbitrary code via a specially crafted XBM image file (CAN-2005-2701).
A bug in the way Firefox handles certain Unicode sequences could be
used to execute arbitrary code via viewing a specially crafted Unicode
sequence (CAN-2005-2702).
A bug in the way Firefox makes XMLHttp requests could be abused by a
malicious web page to exploit other proxy or server flaws from the
victim's machine; however, the default behaviour of the browser is to
disallow this (CAN-2005-2703).
A bug in the way Firefox implemented its XBL interface could be abused
by a malicious web page to create an XBL binding in such a way as to
allow arbitrary JavaScript execution with chrome permissions
(CAN-2005-2704).
An integer overflow in Firefox's JavaScript engine could be manipulated
in certain conditions to allow a malicious web page to execute
arbitrary code (CAN-2005-2705).
A bug in the way Firefox displays about: pages could be used to execute
JavaScript with chrome privileges (CAN-2005-2706).
A bug in the way Firefox opens new windows could be used by a malicious
web page to construct a new window without any user interface elements
(such as address bar and status bar) that could be used to potentially
mislead the user (CAN-2005-2707).
A bug in the way Firefox proceesed URLs on the command line could be
used to execute arbitary commands as the user running Firefox; this
could be abused by clicking on a supplied link, such as from an instant
messaging client (CAN-2005-2968).
The updated packages have been patched to address these issues and all
users are urged to upgrade immediately.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2701
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2702
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2703
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2704
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2705
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2706
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2707
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2968
http://www.mozilla.org/security/announce/mfsa2005-58.html
______________________________________________________________________
Updated Packages:
Mandrakelinux 10.2:
aa128125581323ada6917cf71d73af73 10.2/RPMS/libnspr4-1.0.2-9.1.102mdk.i586.rpm
c91875aae8fbfb23c684443111ab2bfb 10.2/RPMS/libnspr4-devel-1.0.2-9.1.102mdk.i586.rpm
09d4afd21b17bc091c9087f8669d439b 10.2/RPMS/libnss3-1.0.2-9.1.102mdk.i586.rpm
f287c600ffa5bef0a7865b8942f82223 10.2/RPMS/libnss3-devel-1.0.2-9.1.102mdk.i586.rpm
78491507510c36caa971c5667a0b39eb 10.2/RPMS/mozilla-firefox-1.0.2-9.1.102mdk.i586.rpm
37a3d3d39c3f29a8a20c062e56ade3eb 10.2/RPMS/mozilla-firefox-devel-1.0.2-9.1.102mdk.i586.rpm
d78f74a900992ad5e0904da8b17ba78b 10.2/SRPMS/mozilla-firefox-1.0.2-9.1.102mdk.src.rpm
Mandrakelinux 10.2/X86_64:
895038bb470beda14c6de3fa5f3fc5ce x86_64/10.2/RPMS/lib64nspr4-1.0.2-9.1.102mdk.x86_64.rpm
d0a573b27841bcb358b7a5bf99867fda x86_64/10.2/RPMS/lib64nspr4-devel-1.0.2-9.1.102mdk.x86_64.rpm
aa128125581323ada6917cf71d73af73 x86_64/10.2/RPMS/libnspr4-1.0.2-9.1.102mdk.i586.rpm
c91875aae8fbfb23c684443111ab2bfb x86_64/10.2/RPMS/libnspr4-devel-1.0.2-9.1.102mdk.i586.rpm
b86a14e377368e647a408218871924c7 x86_64/10.2/RPMS/lib64nss3-1.0.2-9.1.102mdk.x86_64.rpm
4bdabb56ef5f8eb4058fcfeca56aba79 x86_64/10.2/RPMS/lib64nss3-devel-1.0.2-9.1.102mdk.x86_64.rpm
09d4afd21b17bc091c9087f8669d439b x86_64/10.2/RPMS/libnss3-1.0.2-9.1.102mdk.i586.rpm
f287c600ffa5bef0a7865b8942f82223 x86_64/10.2/RPMS/libnss3-devel-1.0.2-9.1.102mdk.i586.rpm
1988da499fd2b06805d6aea3deb0ed72 x86_64/10.2/RPMS/mozilla-firefox-1.0.2-9.1.102mdk.x86_64.rpm
c7e70731b9873ebbe6eab2046ecdfe68 x86_64/10.2/RPMS/mozilla-firefox-devel-1.0.2-9.1.102mdk.x86_64.rpm
d78f74a900992ad5e0904da8b17ba78b x86_64/10.2/SRPMS/mozilla-firefox-1.0.2-9.1.102mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFDOMJHmqjQ0CJFipgRAoBtAKDSjceCU6aIIjgQRD6Ihojew6RB2gCdGoHp
ayU11aK6Xq6oIbophmTk96U=
=MQPT
-----END PGP SIGNATURE-----

-
不受影响的程序版本

-
漏洞讨论

Mozilla Browser/Firefox are prone to a potential arbitrary code-execution weakness.

Specifically, an attacker can load privileged 'chrome' pages from an unprivileged 'about:' page. This issue does not pose a threat unless it is combined with a same-origin violation issue.

If successfully exploited, this issue may allow a remote attacker to execute arbitrary code and gain unauthorized remote access to a computer. This would occur in the context of the user running the browser.

-
漏洞利用

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com